[cryptography] Client certificates, Tor-exit nodes and renegotiation

Guido Witmond guido at witmond.nl
Fri Mar 14 18:09:53 EDT 2014

On 03/14/14 17:48, Tom Ritter wrote:

> Yes - sending client certificates over Tor will de-anonymize in the
> same way that sending your real name or username over HTTP over Tor
> will de-anonymize you.  Personally I consider this a flaw of TLS, not
> Tor, which does not protect the client certificate from either a
> passive or active adversary.  There were some proposals to move client
> certificates further into the handshake, and protect them against a
> passive and/or active adversary (depending on proposal) - but they did
> not have much traction and then Snowden happened and everyone is
> focused on TLS 1.3.

Thanks for confirming.

Ironically, a lousy password over TLS and Tor is safer than a strong client
certificate and Tor...

It seems that 1.3 addresses these problems entirely.

> A nit: when you say every "system on-route to the server", I assume
> you mean between the exit node and the HTTPS endpoint, in which case
> yes. If you mean every Tor intermediate node, then no.

Sorry, yes, I meant from the exit node towards the server.

> Using TLS-renegotiation to send the client certificate inside an
> already-server-authenticated channel seems like it would work to me -
> I have not tried doing it with any library.

I'll give it a try.

Regards, Guido.
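The point made in the exchange above is that in a TLS 1.2 initial handshake the client's Certificate message is sent before the client's ChangeCipherSpec, so anyone between the exit node and the server reads it without keys, whereas a certificate sent during renegotiation travels under the already-established record protection. The following is an added example, not code from this thread or from any of the participants: it parses a client-to-server TLS 1.2 byte stream at the record layer and reports which certificates a passive observer can recover. The byte stream, the stand-in certificate bytes and the XOR "encryption" are all constructed for illustration (real record protection uses the negotiated cipher suite); the parser assumes handshake messages are not fragmented across records.

```python
"""Added example: which client certificates are visible to a passive observer
of a TLS 1.2 stream, before and after ChangeCipherSpec. Constructed data."""
import struct

# TLS record content types (RFC 5246)
CHANGE_CIPHER_SPEC = 0x14
HANDSHAKE = 0x16
# Handshake message types used below
HS_CERTIFICATE = 11
HS_FINISHED = 20

# Constructed placeholder for a DER-encoded client certificate (not a real cert)
CLIENT_CERT = b"\x30\x82\x00\x00CONSTRUCTED-CLIENT-CERT"
# Constructed placeholder key for the toy record protection below
TOY_KEY = b"not-a-real-tls-key"


def handshake_record(hs_type: int, body: bytes) -> bytes:
    """Wrap one handshake message in a TLS 1.2 (version 3.3) record."""
    msg = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 3]) + len(msg).to_bytes(2, "big") + msg


def certificate_body(certs) -> bytes:
    """Body of a Certificate message: 3-byte chain length, then 3-byte-length-prefixed certs."""
    chain = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return len(chain).to_bytes(3, "big") + chain


def change_cipher_spec_record() -> bytes:
    return bytes([CHANGE_CIPHER_SPEC, 3, 3, 0, 1, 1])


def toy_encrypt(record: bytes, key: bytes) -> bytes:
    """Stand-in for record protection: header stays plaintext (as in real TLS),
    the fragment is XORed. Constructed placeholder, not a TLS cipher suite."""
    hdr, frag = record[:5], record[5:]
    return hdr + bytes(b ^ key[i % len(key)] for i, b in enumerate(frag))


def iter_records(stream: bytes):
    """Yield (content_type, fragment) for each record in one direction of a stream."""
    off = 0
    while off < len(stream):
        ctype, _vmaj, _vmin, length = struct.unpack("!BBBH", stream[off:off + 5])
        frag = stream[off + 5:off + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated record")
        yield ctype, frag
        off += 5 + length


def visible_certificates(stream: bytes):
    """Certificates an observer without keys can read from the stream.
    Once a ChangeCipherSpec record passes, every later record is ciphertext
    and is skipped, which is exactly why a renegotiation hides the certificate."""
    certs = []
    encrypted = False
    for ctype, frag in iter_records(stream):
        if encrypted:
            continue
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True
            continue
        if ctype != HANDSHAKE:
            continue
        off = 0
        while off + 4 <= len(frag):
            hs_type = frag[off]
            hs_len = int.from_bytes(frag[off + 1:off + 4], "big")
            body = frag[off + 4:off + 4 + hs_len]
            if hs_type == HS_CERTIFICATE:
                chain_len = int.from_bytes(body[:3], "big")
                p = 3
                while p < 3 + chain_len:
                    clen = int.from_bytes(body[p:p + 3], "big")
                    certs.append(body[p + 3:p + 3 + clen])
                    p += 3 + clen
            off += 4 + hs_len
    return certs


def initial_handshake_stream() -> bytes:
    """Client flight of an initial TLS 1.2 handshake with client auth
    (ClientKeyExchange and CertificateVerify omitted): Certificate precedes
    the client's ChangeCipherSpec, so it is sent in the clear."""
    cert = handshake_record(HS_CERTIFICATE, certificate_body([CLIENT_CERT]))
    finished = toy_encrypt(handshake_record(HS_FINISHED, b"\x00" * 12), TOY_KEY)
    return cert + change_cipher_spec_record() + finished


def renegotiation_stream() -> bytes:
    """Same Certificate message sent during renegotiation: the connection is
    already under record protection, so the message travels as ciphertext."""
    cert = handshake_record(HS_CERTIFICATE, certificate_body([CLIENT_CERT]))
    return change_cipher_spec_record() + toy_encrypt(cert, TOY_KEY)


if __name__ == "__main__":
    print("initial handshake:", visible_certificates(initial_handshake_stream()))
    print("renegotiation:    ", visible_certificates(renegotiation_stream()))
```

Run against the constructed initial-handshake stream the parser returns the client certificate bytes; against the renegotiation stream it returns nothing, because the only plaintext records it sees are the header bytes. The same record-layer walk is what a network monitor would do to flag client certificates leaving a network in the clear.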
